Oracle Integrated Lights Out Manager (ILOM) 3.1

Security Guide

Configuring the Oracle ILOM CLI for Maximum Security

This section describes how to best configure the Oracle ILOM command-line interface (CLI) for maximum security. This section contains the following topics:

Configuring the CLI Session Time-Out

The Oracle ILOM command-line interface (CLI), which is accessed by connecting to Oracle ILOM over the Secure Shell (SSH) protocol or by using a serial connection, has a configurable session time-out. The session time-out determines how many minutes elapse before an inactive command-line session is automatically logged out. This feature reduces the risk of an unauthorized user finding an unattended computer with an authenticated session to Oracle ILOM.

By default, there is no CLI time-out configured. For maximum security, configure a CLI time-out in any environment where the Oracle ILOM CLI is used on a shared console. The CLI time-out is configured in minutes. Ideally, set the time-out to 15 minutes or less on an unattended session that remains connected to Oracle ILOM.

For information about setting the CLI session time-out, see the Oracle ILOM 3.1 Configuration and Maintenance Guide.

Understanding SSH Key Generation

Oracle ILOM provides a Secure Shell (SSH) server capability, allowing remote clients to connect to Oracle ILOM securely to manage Oracle ILOM through the command-line interface. The SSH protocol uses server-side keys to encrypt the channel and secure all communication. SSH clients also use these keys to verify the authenticity of the SSH server.

Oracle ILOM generates server SSH keys on the first boot of a factory default system. This ensures that Oracle ILOM on each server has a unique set of keys. In addition, these keys can manually be regenerated using the Oracle ILOM web and command-line interfaces in the event that new keys are needed.

For information about regenerating SSH keys, see the Oracle ILOM 3.1 Configuration and Maintenance Guide.

Using User SSH Keys

The Oracle ILOM command-line interface provides the ability to use user SSH keys for authentication instead of a password. This mechanism uses a secure public/private key pair and provides a stronger alternative to standard user passwords. Use these user SSH keys when writing automated scripts that connect to the Oracle ILOM command-line interface over SSH, so that you do not have to embed cleartext passwords in a script file.

For more information about using user SSH keys, see the Oracle ILOM 3.1 Configuration and Maintenance Guide.
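One way to apply this from the client side, as an added example that is not taken from Oracle's documentation: a shell wrapper that runs a scripted CLI session with a user SSH key only, never falls back to a password prompt, and verifies the Oracle ILOM server key against a pinned known_hosts file. The function name `ilom_run`, the `SSH` override variable, and the account, host, path and remote command shown in the comments are assumptions; the `-o` settings are standard OpenSSH client options.

```shell
#!/bin/sh
# Added example (not Oracle code): run one scripted Oracle ILOM CLI command
# over SSH using a user SSH key, with no password fallback.
# Usage (account, host, paths and remote command are placeholders):
#   ilom_run "$HOME/.ssh/ilom_automation" "$HOME/.ssh/ilom_known_hosts" \
#       automation@ilom.example.com version

ilom_run() {
    [ $# -ge 4 ] || {
        echo "usage: ilom_run KEY KNOWN_HOSTS USER@HOST COMMAND..." >&2
        return 2
    }
    key=$1 known_hosts=$2 target=$3
    shift 3

    # The private key stands in for the password, so it must not be
    # accessible to group or other (columns 5-10 of the mode string).
    [ -f "$key" ] || { echo "private key not found: $key" >&2; return 1; }
    perms=$(ls -ldL "$key" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "refusing key with group/other access: $key" >&2
        return 1
    }

    # The pinned server key is what lets the client verify that it is
    # talking to the intended Oracle ILOM and not to another SSH server.
    [ -s "$known_hosts" ] || {
        echo "no pinned host key in: $known_hosts" >&2
        return 1
    }

    # BatchMode=yes makes ssh fail instead of prompting for a password;
    # StrictHostKeyChecking=yes refuses unknown or changed server keys.
    "${SSH:-ssh}" -i "$key" \
        -o BatchMode=yes \
        -o IdentitiesOnly=yes \
        -o PreferredAuthentications=publickey \
        -o PasswordAuthentication=no \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$known_hosts" \
        -o ConnectTimeout=10 \
        "$target" "$@"
}
```

With `StrictHostKeyChecking=yes`, a connection is refused after the server SSH keys are regenerated until the pinned entry is replaced with the new key, obtained over a trusted path.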